[FX.php List] When to start SSL on a site
Leo R. Lundgren
leo at finalresort.org
Thu Apr 8 10:44:04 MDT 2010
That's just fine, because we all know you use a version control system
(SVN, Git, Mercurial, Bazaar, etc), and can therefore simply revert
the changes you've made regarding ssl and non-ssl folders :-D
On 8 Apr 2010, at 18:35, Jonathan Schwartz wrote:
> From my favorite movie, "When Harry Meets Sally",..."You're right.
> You're right. I know you're right".
>
> And I just got finished splitting the pages into ssl and non-ssl
> directories.. Grrrr.....
>
> Thanks guys. I know what I have to do now.
>
>
> Jonathan
>
>
>
> At 9:44 AM -0500 4/8/10, Dale Bengston wrote:
>> Agreed all the way around. If you're implementing SSL, just put
>> your entire web app in that environment.
>>
>> Dale
>>
>> On Apr 8, 2010, at 9:24 AM, Leo R. Lundgren wrote:
>>
>>> If I make a site that needs to be secured, and HTTPS is part of
>>> it, I default to using HTTPS for the entire site. Why wait?
>>>
>>> So in short; I rewrite/redirect HTTP to HTTPS in order to force
>>> the latter.
>>>
>>> Regarding the form; IMO it's vital that you don't output the login
>>> form on a page that is insecure. Consider the possibility that an
>>> attacker hijacks the insecure page on which the login form is, and
>>> thereby manages to change the URL that the form targets.. In such
>>> a situation it doesn't matter that the URL you *intended* the form
>>> to target is secure, because the form itself isn't.
>>>
>>>
>>> On 8 Apr 2010, at 15:55, Jonathan Schwartz wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> Just thought I would throw this out...
>>>>
>>>> In creating a site that starts out with non-ssl content (5-6
>>>> pages) and offers a login to access ssl content, where do you
>>>> switch over to the ssl content? Specifically, if the login form
>>>> is embedded in all the non ssl pages (user can login from any of
>>>> the non-ssl pages) and the form action points to a page on the
>>>> ssl side for login validation, is this considered secure? I'm
>>>> thinking not, but then how do you offer a secure login without
>>>> making the entire site ssl/https?
>>>>
>>>> Thanks for listening.
>>>>
>>>> Jonathan
>>>> --
>>>> Jonathan Schwartz
>>>> Exit 445 Group
>>>> jonathan at exit445.com
>>>> http://www.exit445.com
>>>> 415-370-5011
>>>> _______________________________________________
>>>> FX.php_List mailing list
>>>> FX.php_List at mail.iviking.org
>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
> --
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-370-5011
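
Added example (not part of the original thread, and not code from any poster): a small Python check for the situation discussed above, a login form embedded in a page served over plain HTTP whose action points at HTTPS. The function name, finding labels, and the www.example.com pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormScanner(HTMLParser):
    """Collects the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.action = ""
        self.has_password = False
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.flush()  # tolerate a previous form that was never closed
            self.in_form, self.action, self.has_password = True, a.get("action") or "", False
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.flush()

    def flush(self):
        if self.in_form and self.has_password:
            self.login_actions.append(self.action)
        self.in_form = False


def audit_login_forms(page_url, html):
    """Return (finding, resolved_action_url) pairs for login forms on one page."""
    scanner = _LoginFormScanner()
    scanner.feed(html)
    scanner.close()
    scanner.flush()  # form left open at end of document
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in scanner.login_actions:
        target = urljoin(page_url, action)  # empty action posts back to the page itself
        if not page_is_https:
            # The markup travelled in cleartext, so the action cannot be trusted,
            # even when it names an https:// URL.
            findings.append(("form-served-over-http", target))
        if urlsplit(target).scheme != "https":
            findings.append(("form-posts-over-http", target))
    return findings
```

Run it against each page's final URL after redirects; with HTTP redirected to HTTPS site-wide, as suggested in the thread, every page should return an empty list.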